CyberWire Daily - More data exposures, from banks and a major CRM provider. Ransomware strikes back. The irresistibility of data. An unhackable wallet gets hacked…maybe. Spreading goodwill through Aikido?

Episode Date: August 6, 2018

Leaky API may have exposed Salesforce customers' data. TSMC reports a virus in its semiconductor plants. TCM Bank discloses a paycard application leak. Ransomware in Hong Kong. The US Census Bureau prepares to secure its 2020 "fully digital" census. The unbearable, irresistible urge to monetize data. Notes on automotive cybersecurity. Depending on whom you ask, the Bitfi wallet was either hacked, or not. And a new goodwill ambassador seeks to repair US-Russian relations. Rick Howard from Palo Alto Networks explores the notion of superforecasting. For links to all of today's stories check out our CyberWire daily news brief: https://thecyberwire.com/issues/issues2018/August/CyberWire_2018_08_06.html

Transcript
Starting point is 00:00:00 You're listening to the Cyber Wire Network, powered by N2K.
Starting point is 00:01:22 A leaky API may have exposed Salesforce customers' data. TSMC reports a virus in its semiconductor plants. TCM Bank discloses a paycard application leak. Ransomware in Hong Kong. The unbearable, irresistible urge to monetize data. Notes on automotive cybersecurity. Depending on whom you ask, the BitFi wallet was either
Starting point is 00:02:19 hacked or not, and a new Goodwill ambassador seeks to repair U.S.-Russian relations. From the CyberWire studios at DataTribe, I'm Dave Bittner with your CyberWire summary for Monday, August 6, 2018. Salesforce has warned customers that a leaky API may have inadvertently exposed their data. The widely used customer relations management software provider says it found the problem on July 18th. According to Salesforce's disclosure, the leak affected a subset of Marketing Cloud customers who used its Marketing Cloud email studio and predictive intelligence products. The source of the issue is thought to be, Salesforce says, a code change the company rolled out in the first week of July.
Starting point is 00:03:11 There's been no evidence that the exposed data was illicitly obtained or maliciously used by any bad actors. But of course, absence of evidence isn't evidence of absence. Sure, they say that about Bigfoot and remote viewing, but it's true nonetheless. In this case, affected customers would be well advised to take precautions, perhaps heightened awareness to the possibility that their Salesforce data might be used for social engineering. Late Friday, Taiwan Semiconductor Manufacturing Company, TSMC, shut down operations after it was hit by what's been vaguely characterized as a virus. More information is expected this week. TSMC is a major supplier of chips to Apple.
Starting point is 00:03:55 The company did say it was not the victim of a hacker, which might indicate that this issue was either a glitch or the work of an insider. Again, more information is expected soon. Taiwan is often the subject of Chinese industrial espionage and other forms of cyber attack. The preliminary reports have aroused the usual suspicions of the usual suspects, but any attribution would be very premature. TCM Bank, which provides about 750 community banks in the U.S. with an option to offer bank-branded credit cards, disclosed that a misconfigured website exposed data on card applicants between March 2017 and July of this year.
Starting point is 00:04:37 The information includes names, addresses, dates of birth, and social security numbers. A small number of Hong Kong healthcare IT systems have been infected with crypto ransomware. There's no ransom demand reported yet, so whether this is a serious criminal attempt or some casual side effect of some other activity is unknown. The hood who's apparently behind Grand Crab ransomware is sore at Ahn Labs. The South Korean cybersecurity company recently developed and made generally available a vaccine against his malware. This understandably cut into his profits and, well, he's upset. He's retaliated by sending bleeping computer an alleged zero day for an Ahn product.
Starting point is 00:05:24 by sending bleeping computer an alleged zero day for an on product. With data drawing the attention of commercial criminal and intelligence services the way meat draws flies, the U.S. Census Bureau is working to secure its 2020 census, the first one to be fully digital, against data theft. The attraction of data and the pull toward the monetization of information would seem so strong as to be virtually irresistible. We heard a strong case for this made Friday at the Billington Automotive Cybersecurity Summit in Michael Chertoff's keynote address.
Starting point is 00:05:56 The former Secretary of Homeland Security and present head of the Chertoff Group thinks that autonomous and connected cars, that is, the soon-to-arrive generation of vehicles that are even more connected than the ones we drive today, will collect enormous quantities of information that many will find irresistible. That is, many will find the prospect of monetizing such data irresistible. Chertoff pointed out early signs of insurers wishing for more data on how people are actually driving, and he warned that this, in some respects, legitimate interest could lead to unpleasant forms of surveillance
Starting point is 00:06:29 and loss of privacy. That criminals, too, would be interested in monetizing that data goes without saying. Chertoff mentioned Silicon Valley's recent realizations that not everything is ducky with response to the personal information the captains of digital industry currently sweep up, and he suggested that the automotive industry should consider and learn from the experience of Facebook. One wonders the extent to which Facebook itself has fully reflected on and learned from its own experience. Unless Facebook, as Talleyrand is supposed to have said of France's restored bourbon monarchy, has forgotten nothing and learned nothing, there's an example of that pull in the social media giant's recently disclosed approach to banks.
Starting point is 00:07:14 They'd like ways of gaining access to customer financial information through their platform, the better to provide goods, services, and an advertising demographic that would be susceptible to rifle-shot marketing. The banks are said in the Wall Street Journal's account to be leery of the approach, as well they might be. Another keynote address at the Billington Summit might give social media pause. Senator Gary Peters, Democrat of Michigan,
Starting point is 00:07:41 in an aside during his discussion of coming legislation that would provide a more permissive, more innovation-friendly suite of automotive regulations, observed that it might be time to consider treating some IT firms as utilities, particularly those social media platforms that enjoyed quasi-monopolistic market share. Back on July 24th, John McAfee, cybersecurity pioneer, cultural gadfly, and sometime candidate for the Libertarian Party's nomination for the traditional poker table smack talk, money talks, baloney walks, which we balderize because we're a family show. BitFi anteed up a quarter million of its own to sweeten the pot.
Starting point is 00:08:44 Anywho, about a week later, it was reported that some guys said, yeah, they hacked it, and there's now a dispute over whether BitFi was or was not successfully hacked. CNET describes the hackers as led by a self-described IT geek in the Netherlands who uses the handle at OversoftNL. On Wednesday, he tweeted that he and his chums at Cyber Gibbons, that's Andrew Tierney of Pentest Partners, and at G. Suberland, that's Graham Sutherland, had popped open a BitFi, which they described as a stripped-down Android phone,
Starting point is 00:09:19 and they got root access to it. So they wanted to claim the pot, but Mr. McAfee is having none of it because going root doesn't count. We quote, the press claiming the BitFi wallet has been hacked. Utter nonsense. The wallet is hacked when someone gets the coins. No one got any coins. Gaining root access in an attempt to get the coins is not a hack, it's a failed attempt. All these alleged hacks did not get the coins. For it to be a hack in the relevant sense, the hackers needed to get all the coins, which they didn't.
Starting point is 00:09:54 Team Oversoft NL, for its part, isn't buying that either, and have denounced the whole bounty as a sham, because if getting root access doesn't count as a hack, what does? We're not sure who adjudicates such things, but we're pretty sure some member of the plaintiff's bar has a few ideas. Finally, in news that will come as a relief to all peace-loving peoples, the BBC reports that Russia's foreign ministry has announced the appointment of Steven Seagal as an unpaid goodwill ambassador to the United States. In the capacity, Mr. Seagal as an unpaid Goodwill ambassador to the United States.
Starting point is 00:10:26 In the capacity, Mr. Seagal, who was granted some form of Russian citizenship in 2016, will work to reduce bilateral tensions between Moscow and Washington that have seen so much play in cyberspace of late. The Cyber Wire's political science desk, which has long been an admirer of Mr. Seagal, especially his signature role as the Glimmer Man, thinks this appointment a better one than Mr. Dennis Rodman's former association with North Korean leader Kim Jong-un. We await news of an appropriate response from the U.S. State Department. department. and showing the world what AI was meant to be. Let's create the agent-first future together. Head to salesforce.com slash careers to learn more. Do you know the status of your compliance controls right now?
Starting point is 00:11:40 Like, right now. We know that real-time visibility is critical for security, but when it comes to our GRC programs, we rely on point-in-time checks. But get this. More than 8,000 companies like Atlassian and Quora have continuous visibility into their controls with Vanta. Here's the gist. Vanta brings automation to evidence collection across 30 frameworks, like SOC 2 and ISO 27001.
Starting point is 00:12:08 They also centralize key workflows like policies, access reviews, and reporting, and helps you get security questionnaires done five times faster with AI. Now that's a new way to GRC. Get $1,000 off Vanta when you go to vanta.com slash cyber. That's vanta.com slash cyber for $1,000 off. And now a message from Black Cloak. Did you know the easiest way for cyber criminals to bypass your company's defenses is by targeting your executives and their families at home? Black Cloak's award-winning digital executive protection platform secures their personal devices, home networks, and connected lives. Because when executives are compromised at home, your company is at risk. In fact, over one-third of new members discover they've already been breached.
Starting point is 00:13:11 Protect your executives and their families 24-7, 365 with Black Cloak. Learn more at blackcloak.io. And joining me once again is Rick Howard. He's the chief security officer at Palo Alto Networks. He also heads up Unit 42, which is their threat intel team. Rick, welcome back. I had a term come across my desk recently that I wasn't familiar with. It was super forecasting, and I thought this was something that I could check in with you on. Bring me up to date here.
Starting point is 00:13:43 What are we talking about? Well, we're talking about risk analysis or risk assessment. And I picked up super forecasting because of a book I read a couple of years ago. It's called Super Forecasting, the Art and Science of Prediction by Philip Tetlock and Dan Gardner. And I love these guys have been writing about forecasters of things. And how does that apply? It applies to the intelligence community. It applies to business assessing risk and all that. And the reason Dr. Tetlock got interested in this back in the early 2000s was that he's watching CNN and CNN rolled out a pundit to talk about some issue. And they rolled him out because he got
Starting point is 00:14:23 something right once in his career. But he's been wrong ever since. OK, every time he's predicting something after that, it's been wrong. So Dr. Tedlock gets angry at this. I wonder if we can measure this. How can we not keep score for, you know, pundits who forecast things? So he brings in three groups, an intelligence community, the academic community and a group he called the soccer moms. Now, they weren't really soccer moms. They were, you know, older people had time to solve problems. And he gave them 500 really hard problems to forecast. Things like, will President Putin get assassinated in the next three years? What's the probability of that, right? And he graded them
Starting point is 00:15:02 over five years. And who do you think wins this big contest? I'm going to go out on a limb here and say soccer moms. I think I buried the lead. They did by 40%. Okay. I mean, 40%. And there's lots of reasons for that, that Dr. Tetlock talks about in his book. But there's a couple of things I got out of that book that I wasn't doing in my own risk assessments, right? And the first one was, you have to time bound your predictions. You just can't go to your board and say, you know, I think we might get hacked. Sure. Okay. That's going to happen. But if you change the question, it says, I think the probability of us being hacked in the next three years is, you know, 2%. That's a different problem. All
Starting point is 00:15:44 right. So that's the first thing I learned from all this. And as I was going through that book and a couple of other books that have taken up the banner here, and those two books are Measuring and Managing Information Risk, A Fair Approach by Jack Freund and Jack Jones, and How to Measure Everything in Cybersecurity by Doug Hubbard and Richard Syerson. These guys have all gotten on the bandwagon with Dr. Tetlock about how to be more precise in how you assess risk, right? And so after reading all these things, I've realized that I have been doing this wrong for 25 years, okay? And most of us do it this way.
Starting point is 00:16:20 We create these heat maps, these risk heat maps heat maps with you know down the x-axis is how likely is something to happen and on the y-axis is how impactful it's going to be right and we we rate these risks that we have some from anywhere from 10 to 150 things things that could potentially go wrong in our enterprises right we mean we rate them high, medium, or low, or red, yellow, and green. And then we sort them by color. So the red drifts up and to the right, and the green sinks down and to the left. That's why they're called heat maps. But if anybody in my leadership chain would have said, gee, Rick, why is this one red versus yellow? I might have said something like, blah, blah, blah, 25 years experience, trust me, give me money.
Starting point is 00:17:07 Admittedly, that has worked many of the times, but 25 years down my career, I'm thinking that there's got to be a better way to do this. It turns out there is. If you read these books, you will find a couple of things that we need to be changing on how we think about risk in our own enterprise. And the first one is risk is a measurement of uncertainty. And it is a high confidence probability that we can calculate. It doesn't have to be high, medium and low. And it turns out that there's a ream of research that shows that qualitative heat maps like the one i just described is just bad science right and the reason it is is that your definition of what high probability is is different from what
Starting point is 00:17:52 my definition of what high probability is even if i tell you that high probability is between 90 and 100 percent your your cognitive bias is going to do to what you think it is and don't go by what the rules are. So we need to throw that entire model out completely. Right. And then the second one is that all risk measurements should be time bound. Okay. So we should be saying things like, what is the likelihood of a certain cyber event happening in the future? Okay. So, so there's a difference then. Okay. And you would say things like what is the probability that your organization will experience a material breach in the next three years? That's the kind of question we should be asking ourselves. And instead of the word likelihood, you use the precise mathematical term probability. Now, don't get freaked out on me. OK, I'm not going to try to explain probability and stats this morning. OK, good, because I won't be able to.
Starting point is 00:18:47 But at least it's a more precise term. And so instead of saying a cyber event is going to happen in the future, you say material breach. And material is important because not all breaches are that big of a deal. If some bad guy hacks my website, I'm going to be embarrassed a little bit, but it's not material to my organization. However, if a different bad guy comes in and steals my intellectual property, I might get fired. So it has to be material to the business. And thirdly, instead of saying that sometime in the future, it's got to be some time-bound thing like I talked about before. So you might be saying, geez, Rick, how do you get
Starting point is 00:19:28 all those numbers? If it's going to be mathematically precise, where am I going to get all this math? Aren't you just making it up anyway? Well, it turns out there are some mathematical tricks you can do to give yourself some more precision. Now, you've heard of things like Bayes' algorithm and Monte Carlo simulations. Sure. Yes. Okay. Now, they sound really scary. They're not that hard. Okay. They really aren't. Even I can figure it out. You can do most of this in a spreadsheet, right? And so I'm saying that we should change our minds about how we are assessing risk and give it some more precision
Starting point is 00:20:03 going forward. Now, I did all this. I got all this together. Me and the co-author of How to Measure Anything in Cybersecurity, Mr. Syerson, wrote a white paper and presented this at the RSA conference a few months ago. So if anybody's interested in all that, I can give you a lot more detail. Just hit me up and I will pass it along to you. All right. It's certainly stuff to think about. As always, Rick Howard, thanks for joining us. Thank you, sir. Cyber threats are evolving every second, and staying ahead is more than just a challenge.
Starting point is 00:20:41 It's a necessity. That's why we're thrilled to partner with ThreatLocker, a cybersecurity solution trusted by businesses worldwide. ThreatLocker is a full suite of solutions designed to give you total control, stopping unauthorized applications, securing sensitive data, and ensuring your organization runs smoothly and securely. Visit ThreatLocker.com today to see how a default deny approach can keep your company safe and compliant. And that's the Cyber Wire. For links to all of today's stories,
Starting point is 00:21:24 check out our daily briefing at thecyberwire.com. And for professionals and cybersecurity leaders who want to stay abreast of this rapidly evolving field, sign up for Cyber Wire Pro. It'll save you time and keep you informed. Listen for us on your Alexa smart speaker, too. The Cyber Wire podcast is proudly produced in Maryland out of the startup studios of DataTribe, where they're co-building the next generation of cybersecurity teams and technologies. Our amazing CyberWire team is Elliot Peltzman, Puru Prakash, Stefan Vaziri, Kelsey Vaughn,
Starting point is 00:21:54 Tim Nodar, Joe Kerrigan, Carol Terrio, Ben Yellen, Nick Volecki, Gina Johnson, Bennett Moe, Chris Russell, John Petrick, Jennifer Iben, Rick Howard, Peter Kilpie, and I'm Dave Bittner. Thanks for listening. We'll see you back here tomorrow. Your business needs AI solutions that are not only ambitious, but also practical and adaptable. That's where Domo's AI and data products platform comes in. With Domo, you can channel AI and data into innovative uses that deliver measurable impact.
Starting point is 00:22:37 Secure AI agents connect, prepare, and automate your data workflows, helping you gain insights, receive alerts, and act with ease through guided apps tailored to your role. Data is hard. Domo is easy. Learn more at ai.domo.com. That's ai.domo.com.
